Configuring Microsoft ISA Server 2006 Web Proxy to Prompt Authenticated Users

When the ISA firewall is configured as a forward proxy server, the web proxy listener is configured to use integrated authentication by default.


A web proxy client makes its initial request anonymously. If no policy allows anonymous access to the requested destination, the ISA firewall responds with an authentication challenge in the form of an HTTP 407 response (Proxy Authentication Required).


The client then resubmits the request, this time providing credentials to the firewall. This transaction is completely transparent to the end user. The credentials supplied to the ISA firewall are those of the currently logged-on user. If that user does not have permission, the ISA firewall denies the request without prompting for different credentials. This behavior is by design.

There are situations in which this behavior is not desirable. Recently I was working with a customer who had workstations configured to log on automatically with a non-privileged domain service account. These workstations were used to access a web-based application on the local intranet. At times, privileged users need Internet access from these systems, but they need it without logging the service account off. To meet these requirements we needed to configure the ISA firewall to prompt authenticated users for credentials when they are initially denied access.

Making this change requires setting the ReturnAuthRequiredIfAuthUserDenied property of the web proxy listener to ‘true’. When it is set, the ISA firewall prompts authenticated users for credentials when they are denied access instead of returning the denial silently. This change cannot be made via the management console; it can only be configured programmatically. The MSDN reference for this property contains a VBScript for changing this setting, or you can download the script here. Run the script from the command line on the ISA firewall with the argument ‘true’ to enable prompting for authenticated users who are denied access, and ‘false’ to disable it.

For example…

ReturnAuthRequiredIfAuthUserDenied.vbs true

…enables the prompting of authenticated users who are denied access, and…

ReturnAuthRequiredIfAuthUserDenied.vbs false

…disables it.
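As an added example (not the MSDN script and not the one linked above), the following VBScript does the same job with two checks a practitioner usually wants: it rejects anything other than ‘true’ or ‘false’ as its first argument, and it reports the current value and saves only when the value actually changes. By default it changes the Internal network (NetworkType 4, as the MSDN script does), and it goes a little beyond the original by accepting a network name as an optional second argument so the same change can be applied to another network object. It assumes the ISA administration COM object model (FPC.Root, GetContainingArray, NetworkConfiguration.Networks, Name and Save), which are not shown on this page.

```vbscript
' Added example: set ReturnAuthRequiredIfAuthUserDenied on the web proxy
' listener properties of one ISA network. Assumes the ISA administration
' COM model (FPC.Root, GetContainingArray, NetworkConfiguration.Networks, Save).
Option Explicit

Const fpcInternalNetwork = 4   ' NetworkType value of the Internal network

Dim args, desired, targetName, root, isaArray, network, matched
Set args = WScript.Arguments
If args.Count < 1 Then
    WScript.Echo "Usage: SetReturnAuthRequired.vbs <true|false> [network name]"
    WScript.Quit 1
End If

' Parse the first argument strictly so a typo is not silently treated as 'false'.
Select Case LCase(args(0))
    Case "true":  desired = True
    Case "false": desired = False
    Case Else
        WScript.Echo "First argument must be 'true' or 'false', got: " & args(0)
        WScript.Quit 1
End Select

' Optional second argument: the network whose listener properties to change.
' Without it, the Internal network is selected by NetworkType, like the MSDN script.
If args.Count >= 2 Then targetName = args(1) Else targetName = ""

Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
matched = 0

For Each network In isaArray.NetworkConfiguration.Networks
    If (targetName = "" And network.NetworkType = fpcInternalNetwork) _
       Or (targetName <> "" And StrComp(network.Name, targetName, vbTextCompare) = 0) Then
        matched = matched + 1
        ' Show the value before the change so an unchanged run is visible in the output.
        WScript.Echo "Network '" & network.Name & "': ReturnAuthRequiredIfAuthUserDenied was " & _
            network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
        If network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied <> desired Then
            network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied = desired
            network.Save
            WScript.Echo "  -> set to " & desired
        Else
            WScript.Echo "  -> already " & desired & ", nothing saved"
        End If
    End If
Next

If matched = 0 Then
    WScript.Echo "No matching network found; nothing changed."
    WScript.Quit 2
End If
```

Run it with cscript on the ISA firewall; a second argument naming a network other than Internal changes that network's listener properties instead.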

5 Responses to “Configuring Microsoft ISA Server 2006 Web Proxy to Prompt Authenticated Users”

  1. Pete Koehler says:

    Excellent article Rich!

  2. Great feature, Richard!
    I was looking for such a mechanism for about half a year ;)

  3. Robert Mader says:

    Excellent Info – Thx for running your blog!

    Maybe it's worth mentioning that the script looks for ISA networks with the property network.NetworkType == 4 (the constant describing the Internal Network) and changes the option only for this network. Do you know if “network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied” works only for the HTTP proxy listener, or does it also affect your own listeners on that network (e.g. for publishing your HTTP apps in another DMZ)? Can this be changed on a per-listener basis?

    rgds
    Robert

  4. Excellent point, Robert. The script makes this property change only for web listeners configured on the default Internal network object. I don’t believe there is a distinction being made between the web proxy listener and another user-defined web listener. You certainly could alter this script to make this change on a specific listener on the Internal network, or to make the change on network objects other than the Internal network.
